Cream Finance hacked, flash loan attack takes away over 100 million USD and leaves a message


At 21:54 on the evening of the 27th, the multi-chain lending platform Cream Finance was attacked and suffered significant asset losses on the Ethereum blockchain. Cybersecurity firm PeckShield issued a flash loan attack warning at 22:12, and subsequent calculations put the losses at $130 million worth of assets.

At 23:04, Cream Finance stated that it was investigating the attack. A few hours later, it officially confirmed that around $130 million worth of assets had been compromised and that use of the Ethereum lending market is currently suspended.

How did the Cream Finance hack occur?

The cybersecurity company PeckShield stated that the attack was due to a price manipulation vulnerability in Cream Finance's oracle, which allowed all funds in the lending pools to be borrowed. The funds used to carry out the attack were obtained through the privacy protocol TornadoCash, and the stolen funds were continuously exchanged through ParaSwap and Uniswap.

Message left by the attacker

"gÃTµ Baave lucky, iron bank lucky, cream not. ydev: incest bad, dont do"

Previously, Cream Finance's Iron Bank was also attacked.